Fix CORS issues

[Pantus Oleh (zibet27)]

Subsystem
Server CORS

Motivation
KTOR-9659 CORS is skipped when the Origin header contains an IPv6 address

KTOR-9636 CORS plugin drops OPTIONS preflight requests when allowSameOrigin is on

Solution

• KTOR-9636 — Preflight is now handled by the plugin even when the origin matches the server; regular same-origin requests still skip CORS as before
• KTOR-9659 — Origin validation and normalization now account for IPv6 bracket syntax when locating the port

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8269f6f1-0ead-48b1-b27b-d7f940378af6

📥 Commits

Reviewing files that changed from the base of the PR and between 7fe674e and 9523c52.

📒 Files selected for processing (3)

• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt
• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSUtils.kt
• ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt

✅ Files skipped from review due to trivial changes (1)

• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt

🚧 Files skipped from review as they are similar to previous changes (1)

• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSUtils.kt

---

📝 Walkthrough

Walkthrough

This PR enhances CORS preflight handling and origin port parsing. It adds ApplicationRequest.isCorsPreflightRequest(), a findPortDigitStartIndex() helper used by isValidOrigin/normalizeOrigin (improving IPv6-literal port handling), treats same-origin preflight OPTIONS as handled by CORS, updates KDoc, and adds tests for same-origin preflight and IPv6 origins.

Changes

CORS preflight and origin validation

Layer / File(s)	Summary
Preflight detection and origin port validation utilities ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSUtils.kt	Adds ApplicationRequest.isCorsPreflightRequest() to detect OPTIONS preflight. Introduces findPortDigitStartIndex() to locate port digits (handles IPv6 brackets). Updates isValidOrigin and normalizeOrigin to use the helper and determines explicit numeric ports via NUMBER_REGEX. Minor reformatting of corsCheckOrigins logging.
Same-origin preflight handling in CORS logic ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORS.kt, .../cors/CORSConfig.kt, .../cors/routing/CORS.kt	checkOrigin now treats same-origin preflight requests (OPTIONS + Access-Control-Request-Method) as OK (handled by CORS) while non-preflight same-origin requests remain SkipCORS. KDoc for allowSameOrigin and route-scoped CORS updated to document the preflight exception.
Test coverage for preflight and IPv6 origins ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt	Extends testSameOriginEnabled to assert same-origin preflight OPTIONS behavior and adds ipv6LiteralOriginIsAccepted to validate bracketed IPv6 origins with/without ports/trailing slashes and reject malformed ports or brackets.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Stexxe
• bjhham

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Fix CORS issues' is vague and generic, using non-descriptive language that doesn't convey the specific problems or solutions involved in the changeset.	Use a more specific title such as 'Handle CORS preflight requests and IPv6 origins properly' to clearly indicate the main changes addressed.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description is complete and well-structured, following the template with clear subsystem identification, specific issue references (KTOR-9659 and KTOR-9636), and concise solutions for each issue.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch zibet27/fix-cors-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt (1)

999-1000: ⚡ Quick win

Use the repository’s backtick test naming style for the new case.

Please rename this new test to a descriptive backtick form so it matches the test guideline used for new Kotlin tests.

Suggested rename

-    fun ipv6LiteralOriginIsAccepted() = testApplication {
+    fun `accepts bracketed IPv6 origins and rejects malformed ones`() = testApplication {

As per coding guidelines, "**/*Test.{kt,kts}: Prefer descriptive test names in backticks: describe what is being tested."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt`
around lines 999 - 1000, Rename the test function ipv6LiteralOriginIsAccepted to
the repository’s backtick descriptive style (e.g. `ipv6 literal origin is
accepted`) by changing the Kotlin function declaration fun
ipv6LiteralOriginIsAccepted() to a backticked name (fun `ipv6 literal origin is
accepted`()) while keeping the `@Test` annotation and the testApplication body
unchanged; locate the function ipv6LiteralOriginIsAccepted in CORSTest.kt and
update only its identifier to the backtick form to match the test naming
guideline.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt`:
- Around line 153-155: Update the KDoc in CORSConfig.kt to stop implying
preflight requests always succeed; state that same-origin CORS preflight OPTIONS
requests with Access-Control-Request-Method are still handled/evaluated by the
CORS plugin (not skipped) and may be rejected (e.g., respondPreflight() can
return 403 when the requested method/headers are disallowed). Mention the CORS
plugin's evaluation behavior instead of saying they "receive a successful
response" and keep the language consistent with respondPreflight() and the
plugin's enforcement logic.

In
`@ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSUtils.kt`:
- Around line 138-156: The logic in findPortDigitStartIndex has the IPv6 and
non-IPv6 branches swapped; when isIpv6 is true you should look for the closing
']' and then a ':' after that (use ipv6LiteralEndIndex and portSeparatorIndex to
compute port start or origin.length), and when isIpv6 is false you should scan
from hostStartIndex for the first ':' (port), '/' (end of host), or '?'
(malformed) and return the appropriate index or -1; update the branches in
findPortDigitStartIndex accordingly so bracketed IPv6 literals are handled by
the ']' lookup and plain hosts are handled by character scanning.

---

Nitpick comments:
In
`@ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt`:
- Around line 999-1000: Rename the test function ipv6LiteralOriginIsAccepted to
the repository’s backtick descriptive style (e.g. `ipv6 literal origin is
accepted`) by changing the Kotlin function declaration fun
ipv6LiteralOriginIsAccepted() to a backticked name (fun `ipv6 literal origin is
accepted`()) while keeping the `@Test` annotation and the testApplication body
unchanged; locate the function ipv6LiteralOriginIsAccepted in CORSTest.kt and
update only its identifier to the backtick form to match the test naming
guideline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e2a69531-4218-4c6f-a3c0-4c838428fac4

📥 Commits

Reviewing files that changed from the base of the PR and between bf42162 and 3a86540.

📒 Files selected for processing (5)

• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORS.kt
• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSConfig.kt
• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/CORSUtils.kt
• ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/routing/CORS.kt
• ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt